win.liteduke

LiteDuke

Actor(s): APT 29


According to CarbonBlack, LiteDuke is a third stage backdoor. It appears to use the same dropper as PolyglotDuke. Its payload makes use of an AES encrypted SQLite database to store its configuration. LiteDuke supports a large number of individual commands including host information retrieval, file upload and download, and the ability to execute other code. LiteDuke C2 servers appear to be compromised servers, and the malware communicates with them using normal HTTP requests. It attempts to use a realistic User-Agent string to blend in better with normal HTTP traffic.
ESET have dubbed it LiteDuke because it uses SQLite to store information such as its configuration.

References
2020-05-18 | One Night in Norfolk | Kevin Perlow
@online{perlow:20200518:looking:eaa7bde, author = {Kevin Perlow}, title = {{Looking Back at LiteDuke}}, date = {2020-05-18}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/looking-back-at-liteduke/}, language = {English}, urldate = {2020-05-18} } Looking Back at LiteDuke
LiteDuke
2020-03-26 | VMWare Carbon Black | Scott Knight
@online{knight:20200326:dukes:df85f94, author = {Scott Knight}, title = {{The Dukes of Moscow}}, date = {2020-03-26}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/}, language = {English}, urldate = {2020-05-18} } The Dukes of Moscow
Cobalt Strike LiteDuke MiniDuke OnionDuke PolyglotDuke PowerDuke
Yara Rules
[TLP:WHITE] win_liteduke_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_liteduke_auto {
    // Autogenerated code-sequence signature for win.liteduke. Matching is decided
    // solely by the hex byte sequences in `strings:` and the threshold in
    // `condition:`; the `meta:` block is descriptive and has no effect on matching.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.liteduke"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Because the sequences come from disassembly of memory dumps and unpacked
    // files (see DISCLAIMER), expect them to match unpacked code rather than a
    // packed or encrypted on-disk dropper; scan process memory or unpacked
    // samples for best results.
    //
    // Each sequence is a run of consecutive x86 instructions. The `??` wildcards
    // replace operand bytes; given tool_config "callsandjumps;datarefs", these
    // presumably mask call/jump displacements and absolute data references that
    // change between builds and load addresses (e.g. the bytes after e8/e9/a1/d905).
    // The "n = 7" comment on each sequence is the instruction count (seven
    // instructions are listed under each one); the meaning of "score" is not
    // documented here and should be taken from the yara-signator project.

    strings:
        $sequence_0 = { 8b750c 89d8 e8???????? 85c0 750c 807b4300 750a }
            // n = 7, score = 100
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   89d8                 | mov                 eax, ebx
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   750c                 | jne                 0xe
            //   807b4300             | cmp                 byte ptr [ebx + 0x43], 0
            //   750a                 | jne                 0xc

        $sequence_1 = { 8b55d0 897208 8b7e20 85ff 740a 8b0a 81c900000001 }
            // n = 7, score = 100
            //   8b55d0               | mov                 edx, dword ptr [ebp - 0x30]
            //   897208               | mov                 dword ptr [edx + 8], esi
            //   8b7e20               | mov                 edi, dword ptr [esi + 0x20]
            //   85ff                 | test                edi, edi
            //   740a                 | je                  0xc
            //   8b0a                 | mov                 ecx, dword ptr [edx]
            //   81c900000001         | or                  ecx, 0x1000000

        $sequence_2 = { c745a0ffffffff c745a4ffffffff c745c800000000 c745cc00000000 8b55c8 8b45cc 09d6 }
            // n = 7, score = 100
            //   c745a0ffffffff       | mov                 dword ptr [ebp - 0x60], 0xffffffff
            //   c745a4ffffffff       | mov                 dword ptr [ebp - 0x5c], 0xffffffff
            //   c745c800000000       | mov                 dword ptr [ebp - 0x38], 0
            //   c745cc00000000       | mov                 dword ptr [ebp - 0x34], 0
            //   8b55c8               | mov                 edx, dword ptr [ebp - 0x38]
            //   8b45cc               | mov                 eax, dword ptr [ebp - 0x34]
            //   09d6                 | or                  esi, edx

        $sequence_3 = { e8???????? e9???????? b89f91c661 c78548ffffffa591c661 e9???????? c6461e01 e9???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   e9????????           |                     
            //   b89f91c661           | mov                 eax, 0x61c6919f
            //   c78548ffffffa591c661     | mov    dword ptr [ebp - 0xb8], 0x61c691a5
            //   e9????????           |                     
            //   c6461e01             | mov                 byte ptr [esi + 0x1e], 1
            //   e9????????           |                     

        $sequence_4 = { a1???????? 50 8b00 ff5008 a1???????? 50 8b00 }
            // n = 7, score = 100
            //   a1????????           |                     
            //   50                   | push                eax
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   ff5008               | call                dword ptr [eax + 8]
            //   a1????????           |                     
            //   50                   | push                eax
            //   8b00                 | mov                 eax, dword ptr [eax]

        $sequence_5 = { 8b45f4 8b5df8 c9 c20400 55 89e5 83ec18 }
            // n = 7, score = 100
            // NOTE(review): this sequence spans a function boundary (leave/ret 4
            // of one function, then push ebp/mov ebp,esp of the next); it
            // presumably depends on the two functions staying adjacent in the
            // binary, so it may be the least stable of the set across builds.
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8b5df8               | mov                 ebx, dword ptr [ebp - 8]
            //   c9                   | leave               
            //   c20400               | ret                 4
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   83ec18               | sub                 esp, 0x18

        $sequence_6 = { 8b55d0 8b75cc 8b4dd4 8b460c 89410c 40 89460c }
            // n = 7, score = 100
            //   8b55d0               | mov                 edx, dword ptr [ebp - 0x30]
            //   8b75cc               | mov                 esi, dword ptr [ebp - 0x34]
            //   8b4dd4               | mov                 ecx, dword ptr [ebp - 0x2c]
            //   8b460c               | mov                 eax, dword ptr [esi + 0xc]
            //   89410c               | mov                 dword ptr [ecx + 0xc], eax
            //   40                   | inc                 eax
            //   89460c               | mov                 dword ptr [esi + 0xc], eax

        $sequence_7 = { 8b8d6cffffff 8b511c 8b4914 85c9 0f8484000000 89b578ffffff d905???????? }
            // n = 7, score = 100
            //   8b8d6cffffff         | mov                 ecx, dword ptr [ebp - 0x94]
            //   8b511c               | mov                 edx, dword ptr [ecx + 0x1c]
            //   8b4914               | mov                 ecx, dword ptr [ecx + 0x14]
            //   85c9                 | test                ecx, ecx
            //   0f8484000000         | je                  0x8a
            //   89b578ffffff         | mov                 dword ptr [ebp - 0x88], esi
            //   d905????????         |                     

        $sequence_8 = { 8945b4 8b45b0 0345b4 894608 0345b4 89460c 8d0488 }
            // n = 7, score = 100
            //   8945b4               | mov                 dword ptr [ebp - 0x4c], eax
            //   8b45b0               | mov                 eax, dword ptr [ebp - 0x50]
            //   0345b4               | add                 eax, dword ptr [ebp - 0x4c]
            //   894608               | mov                 dword ptr [esi + 8], eax
            //   0345b4               | add                 eax, dword ptr [ebp - 0x4c]
            //   89460c               | mov                 dword ptr [esi + 0xc], eax
            //   8d0488               | lea                 eax, [eax + ecx*4]

        $sequence_9 = { c744240800000000 c744240402000000 893c24 e8???????? 8b4e04 31d2 39ca }
            // n = 7, score = 100
            //   c744240800000000     | mov                 dword ptr [esp + 8], 0
            //   c744240402000000     | mov                 dword ptr [esp + 4], 2
            //   893c24               | mov                 dword ptr [esp], edi
            //   e8????????           |                     
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   31d2                 | xor                 edx, edx
            //   39ca                 | cmp                 edx, ecx

    condition:
        // Fire when at least 7 of the 10 sequences are present and the scanned
        // object is smaller than 1171456 bytes. Both values were derived from the
        // sample(s) available at generation time (see DISCLAIMER), so a larger
        // or partially rewritten build could fall outside either bound; treat
        // a match as an indicator to triage, not as a standalone verdict.
        7 of them and filesize < 1171456
}